Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

HelpAssistant Rootkit


Post by parsec2112 » March 31st, 2010, 8:54 am

I have the "HelpAssistant"/Mebroot rootkit

The symptoms:
Excessive churning of the hard disk/processor at start-up or some time after start-up (timing varies).
Complete freeze-up of the system during operation. Sometimes all I have after these freeze-ups is a black screen. Sometimes just pieces of the task bar, command bar or other parts of the desktop are left after these freeze-ups. At all times the mouse remains operational (I can move it), but it does not operate anything. Lastly, I don't know if this has been reported, but it creates 5 new randomly named files (even the extension appears to be random) on every start-up in the C:\WINDOWS\system32\ folder.

How my "little friend" found me:
Acrobat 6.0
I know... I know, a version that I should not be running under any circumstances.
I run that version because I am able to extract graphics out of .pdfs more easily than with any other version.
(the graphics I need for what I do)
And after this I will gladly find a way to work around this and install a newer version.

Depressed and one step away from wiping the system.
Hope somebody can help.

HJT LOG:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:19:49 AM, on 3/31/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\security\installwatch 2.5\InstallWatch.exe
C:\Program Files\Tweak\YzToolbar\yztbr103\YzToolBar.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\lxctcoms.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\Stacsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Tweak\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Security\HJT\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
O2 - BHO: NitroPDFBHO Class - {CF070CB8-F02F-4af4-A7B7-8D45CAD4BB54} - C:\Program Files\Nitro PDF\PDF Download\NitroPDF.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: StylerToolBar - {D2F8F919-690B-4EA2-9FA7-A203D1E04F75} - C:\Program Files\Tweak\Styler\TB\StylerTB.dll
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
O4 - HKLM\..\Run: [IntelAudioStudio] "C:\Program Files\Intel Audio Studio\IntelAudioStudio.exe" BOOT
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [RocketDock] "C:\Program Files\RocketDock\RocketDock.exe"
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: InstallWatch Pro.lnk = ?
O4 - Global Startup: Tiny Watcher Logon Time.lnk = C:\Program Files\Security\Watcher\Watcher.exe
O4 - Global Startup: YzToolBar.exe.lnk = C:\Program Files\Tweak\YzToolbar\yztbr103\YzToolBar.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Save Page As PDF ... - file://C:\Program Files\Nitro PDF\PDF Download\nitroweb.htm
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {AD9E6088-E00B-42f9-9F0C-8480525D234E} - C:\Program Files\Nitro PDF\PDF Download\NitroPDF.dll
O9 - Extra 'Tools' menuitem: PDF Download - Options - {AD9E6088-E00B-42f9-9F0C-8480525D234E} - C:\Program Files\Nitro PDF\PDF Download\NitroPDF.dll
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Flash Decompiler SWF Capture tool - {86B4FC19-8FA4-4FD3-B243-9AEDB42FA2D5} - C:\Program Files\Eltima Software\Flash Decompiler\iebt.dll (HKCU)
O9 - Extra 'Tools' menuitem: Flash Decompiler SWF Capture tool menu - {86B4FC19-8FA4-4FD3-B243-9AEDB42FA2D5} - C:\Program Files\Eltima Software\Flash Decompiler\iebt.dll (HKCU)
O9 - Extra button: PDF Download - {F1C0FD6C-A6A0-49a7-A932-71A56461867F} - C:\Program Files\Nitro PDF\PDF Download\NitroPDF.dll (HKCU)
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtech.com/download/file ... _en_US.cab
O16 - DPF: {164B406B-0FD6-4E7F-BA7E-64D227D4CA37} (dnlplayer Class) - http://www.digitalwebbooks.com/reader/dbplugin.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 7542225000
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://www.sonypictures.com/games/luxor/mjolauncher.cab
O16 - DPF: {87056D28-9730-4A47-B9F9-7E890B62C58A} (WildfireActiveXHost Class) - http://www.sonypictures.com/games/tumblebugs/axhost.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\wbsys.dll
O23 - Service: Avira AntiVir Scheduler (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: lxct_device - - C:\WINDOWS\system32\lxctcoms.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\Program Files\SigmaTel\C-Major Audio\WDM\Stacsv.exe

--
End of file - 7921 bytes

HJT uninstall_list
ABBYY FineReader 6.0 Sprint
ABC Amber EPS Converter
AceBackup 3
acqurl
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Photoshop 7.0
Adobe Reader 6.0.1
Adobe Reader Chinese Simplified Fonts
Adobe Reader Chinese Traditional Fonts
Adobe Reader Japanese Fonts
Adobe Shockwave Player
Advanced File Organizer 3.0
Advanced PDF to HTML converter 1.9.9.5
Alien Shooter 1.2
Alien Skin Eye Candy 5 Impact
Alien Skin Eye Candy 5 Nature
Alien Skin Eye Candy 5 Textures
AlienGUIse Theme Manager
ArcExplorer Java Edition
ArcExplorer--Java Edition for Education
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Display Driver
Atomic Clock Sync
Audacity 1.2.6
Audio Transcoder
Avira AntiVir Personal - Free Antivirus
Belarc Advisor 7.2
BellSouth FastAccess DSL Help Center
BroadJump Client Foundation
Business Tycoon
Catalyst Control Center - Branding
CCleaner (remove only)
C-evo
Chak`s Temple 1.0
DelinvFile - 3.01
DivX Codec
DivX Converter
DivX Player
DivX Plus DirectShow Filters
DivX Web Player
Driver Magician 3.16
DS-Monkey Audio Source 1.00
Easy Graphic Converter 1.2
Easy Macro Recorder 3.61
Eraser 5.82
FastStone Capture 5.2
Flash Decompiler
Font Manager 3.5
Free DWG Viewer 6.1
FreeView 10.1
Freeware PDF Unlocker
GeoCalc
Glary Utilities 2.0
Google Earth
Google Earth Plug-in
Google SketchUp 7
Google Update Helper
Google Updater
GPS TrackMaker
Graboid Video 1.2
Hacker Evolution (1.00.0091) (remove only)
High Definition Audio Driver Package - KB835221
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB961118)
HTML Executable Viewer 1.1.0
InCD
InstallWatch Pro 2.5
Intel Audio Studio 2.0
Intel Matrix Storage Manager
Intel(R) Desktop Control Center
Intel(R) PRO Network Connections
Intel(R) Quick Resume Technology Drivers
Intel® Viiv™ Software
IrfanView (remove only)
J2SE Runtime Environment 5.0 Update 10
Java(TM) 6 Update 13
Java(TM) 6 Update 2
Java(TM) 6 Update 3
Java(TM) 6 Update 5
Java(TM) 6 Update 7
Java(TM) SE Runtime Environment 6 Update 1
Lexmark 5400 Series
Lexmark Toolbar
Lizardtech DjVu Control (autoinstall)
Macromedia Dreamweaver 3
MAGIX Xtreme Print Studio 5.0.0.7247 (US)
Magna Sirgas_Pro v.2.0
Malwarebytes' Anti-Malware
MediaCoder 0.7.1.4450
MediaMonkey 3.0
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft MSN MoneyCentral Stock Quotes Add-In for Excel
Microsoft National Language Support Downlevel APIs
Microsoft Office Small Business Edition 2003
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
Mozilla ActiveX Control v1.7.12
Mozilla Firefox (3.0.10)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 6 Service Pack 2 (KB954459)
MSXML4 Parser
MultiStage Recovery 2.7
Nero Digital
Nero OEM
NeroVision Express Content
Nuclear Coffee - VideoGet 2.0.2.26
Ogg Codecs 0.81.15562
Paint Shop Pro 7
PDF Download for Internet Explorer
Pdf995
PdfEdit995
PDF-XChange PDF Viewer
Personal Backup 4.5
PlaceMarker
PowerDVD
QuickTime Alternative 1.81
Registry Easy v3.0
Revo Uninstaller 1.83
Rise of Nations
RocketDock 1.3.1
RollerCoaster Tycoon 3 Platinum
RollerCoaster Tycoon Deluxe
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Sid Meier's Alpha Centauri
SigmaTel Audio
Signature995
Simple Little Utility for Generating Schemes (SLUGS) 2.1
SodaBush Windowpaper XP v1.01
Sothink SWF Quicker
Sothink Tree Menu
Space Flight 3D Screensaver 1.3
Spybot - Search & Destroy
Star Blaze.1.0
Styler
System Requirements Lab for Intel
Theseus 1.0
Tiny Watcher
TradeKeeper 3.4.5
Tweak UI
UnzipThemAll 1.3
Update for Windows Media Player 10 (KB913800)
Update for Windows Media Player 10 (KB926251)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update Rollup 2 for Windows XP Media Center Edition 2005
VC80CRTRedist - 8.0.50727.762
VideoLAN VLC media player 0.8.6d
WD SmartWare
WhiteCap
Windows Imaging Component
Windows Installer Clean Up
Windows Media Format Runtime
Windows Media Player Firefox Plugin
Windows XP Media Center Edition 2005 KB888316
Windows XP Media Center Edition 2005 KB914548
Windows XP Service Pack 3
WinRAR archiver
WinTopo Raster to Vector
WMPCDText 1.1
wxDownload Fast 0.6.0
xp-AntiSpy 3.96-4

TIA
parsec
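As an added example (not part of the thread, and not code from HijackThis or its author), a Python triage parser for the HijackThis v2 log format posted above: it splits entry lines into fields and lists what a helper would want verified first, such as the O20 AppInit_DLLs entry, a service with no vendor string, an unresolved startup shortcut and downloaded ActiveX controls. The sample log, the field names and the review hints are my own construction and are not a verdict on this machine.

```python
import re
from collections import Counter

# Constructed sample in Trend Micro HijackThis v2 log format. The entry shapes
# mirror the kinds of lines in the thread's log; this is test input, not a
# verdict on that machine.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: InstallWatch Pro.lnk = ?
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://www.sonypictures.com/games/luxor/mjolauncher.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\wbsys.dll
O23 - Service: lxct_device - - C:\WINDOWS\system32\lxctcoms.exe
O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe
"""

# Every HJT entry is "<code> - <body>"; codes are R0-R3, F0-F3, N1-N4, O1-O24.
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d+) - (?P<body>.+)$")

# Field layouts for the entry types this triage cares about; other codes keep
# only their raw text.
SUBPARSERS = {
    "O2": re.compile(r"^BHO: (?P<name>.+?) - (?P<clsid>\{[^}]+\}) - (?P<path>.+)$"),
    "O3": re.compile(r"^Toolbar: (?P<name>.+?) - (?P<clsid>\{[^}]+\}) - (?P<path>.+)$"),
    "O4": re.compile(
        r"^(?:(?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<command>.+)"
        r"|Global Startup: (?P<link>.+?) = (?P<target>.+))$"),
    "O16": re.compile(r"^DPF: (?P<clsid>\{[^}]+\}) \((?P<name>[^)]*)\) - (?P<url>.+)$"),
    "O20": re.compile(r"^AppInit_DLLs: (?P<dlls>.+)$"),
    # The "(short name)" part is optional and the vendor may be empty, which
    # HJT prints as "display - - path".
    "O23": re.compile(
        r"^Service: (?P<display>.+?)(?: \((?P<short>[^)]+)\))?\s*-\s+(?P<vendor>.*?)\s*-\s+(?P<path>.+)$"),
}


def parse_hjt(text):
    """Return one dict per entry line; headers and the process list are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        entry = {"code": m["code"], "raw": line}
        sub = SUBPARSERS.get(m["code"])
        if sub and (sm := sub.match(m["body"])):
            entry.update({k: v for k, v in sm.groupdict().items() if v is not None})
        entries.append(entry)
    return entries


def summarize(entries):
    """Count entries per HJT code, e.g. {'O4': 3, 'O23': 2, ...}."""
    return dict(Counter(e["code"] for e in entries))


def triage(entries):
    """Review hints for a helper: (code, reason) pairs naming what to verify."""
    findings = []
    for e in entries:
        code = e["code"]
        if code == "O20" and "dlls" in e:
            findings.append((code, f"AppInit_DLLs loads {e['dlls']} into every process "
                                   "that maps user32.dll; verify the DLL's publisher and hash"))
        elif code == "O23" and "path" in e and not e.get("vendor"):
            findings.append((code, f"service '{e['display']}' has no vendor string; "
                                   f"verify {e['path']}"))
        elif code == "O4" and e.get("target") == "?":
            findings.append((code, f"startup shortcut '{e['link']}' has an unresolved "
                                   "target; inspect the .lnk file"))
        elif code == "O16" and "url" in e:
            host = re.sub(r"^https?://", "", e["url"]).split("/")[0]
            findings.append((code, f"ActiveX control '{e['name']}' was installed from "
                                   f"{host}; confirm the download is expected"))
    return findings


if __name__ == "__main__":
    parsed = parse_hjt(SAMPLE_LOG)
    print(summarize(parsed))
    for code, reason in triage(parsed):
        print(f"{code}: {reason}")
```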

Re: HelpAssistant Rootkit

Post by MWR 3 day Mod » April 3rd, 2010, 11:08 pm

Hi,

We are sorry to see your topic is over three days old and no one has yet been able to respond and offer help.

If you still require assistance, please post a link to your topic in our Waiting for help with malware removal? forum, and our staff will make an effort to assist you as promptly as possible. Only post a LINK to this topic, DO NOT post your DDS log!

Please do not reply to this topic.

If you haven't posted within two days in the "Waiting for help with malware removal?" forum, we will assume you have been able to get assistance in other ways and this topic will be closed.

Re: HelpAssistant Rootkit

Post by gringo_pr » April 4th, 2010, 10:29 pm

Hello and Welcome to the forums!

My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.

    1. Please do not run any other tool until instructed to do so!
    2. Please reply to this thread, do not start another!
    3. Please tell me about any problems that have occurred during the fix.
    4. Please tell me of any other symptoms you may be having, as these can help also.
    5. Please try as much as possible not to run anything while executing a fix.

If you follow these instructions, everything should go smoothly.

Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

I would like to get a better look at your system; please do the following so I can get some more detailed logs.

DeFogger:

    Please download DeFogger to your desktop.

    Double click DeFogger to run the tool.
    • The application window will appear
    • Click the Disable button to disable your CD Emulation drivers
    • Click Yes to continue
    • A 'Finished!' message will appear
    • Click OK
    • DeFogger may ask you to reboot the machine, if it does - click OK
    Do not re-enable these drivers until otherwise instructed.
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop.

Download DDS:

    Please download DDS by sUBs from one of the links below and save it to your desktop:


    Link1
    Link2
    Link3

    Please disable any anti-malware program that will block scripts from running before running DDS.

    • Double-Click on dds.scr and a command window will appear. This is normal.
    • Shortly after, two logs will appear:
      • DDS.txt
      • Attach.txt
    • A window will open instructing you to save & post the logs
    • Save the logs to a convenient place such as your desktop
    • Copy the contents of both logs & post in your next reply

GMER:

    Download GMER Rootkit Scanner from here or here.
    • Extract the contents of the zipped file to desktop.
    • Double click GMER.exe. If asked to allow the gmer.sys driver to load, please consent.
    • If it gives you a warning about rootkit activity and asks if you want to run a scan, click on NO, then use the following settings for a more complete scan.
    • In the right panel, you will see several boxes that have been checked. Uncheck the following ...
      • Sections
      • IAT/EAT
      • Drives/Partition other than Systemdrive (typically C:\)
      • Show All (don't miss this one)
    • Then click the Scan button & wait for it to finish.
    • Once done click on the [Save..] button, and in the File name area, type in "ark.txt" or it will save as a .log file which cannot be uploaded to your post.
    Save it where you can easily find it, such as your desktop

    **Caution**
    Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.

Information and logs:

    In your next post I need the following

      1. Logs from DDS
      2. Log from GMER
      3. Let me know of any problems you may have had

Gringo

Re: HelpAssistant Rootkit

Post by parsec2112 » April 5th, 2010, 5:32 pm

Hi Gringo,
Sorry about the delay.
The first two parts of what you asked me to do went fine:
Defogger
DDS (log attached)
Gmer, on the other hand, did not. I did not see your note till about 10:45 my time.
By the time I started Gmer it was 11:15; by 11:45 I had to get some sleep and just left Gmer running. Somewhere around 2:30 I woke up and it was still running, but the computer at this time was also in one of its hard churn modes. Sure enough, as I watched, the whole thing froze up and I turned it off. (I think there is a possibility I did not untick one of the items you told me to untick; it was late.) I will try to run it again here in a while.

Other problems
Firefox
1. Slow to start up/slow to load pages.
2. No longer retains user names or passwords for sites between start-ups.
3. No longer able to download anything (the latest problem).
What I get is two files. The first one carries the name of what I was downloading but is zero bytes in size. The second is called a 'PART FILE' and is the full size of what I was trying to download. Change the extension of the 'part file' to the correct one, attempt to launch... file corrupt.
Basically... FF is currently unusable. :(

I.E.
1. Google search results hijacked by ad sites.
Inconsistent pattern; it does not happen at all times. In advanced mode it does not happen at all. Saving grace: if by accident I click on one of the hijacked results, I.E. gives me an "Internet Explorer cannot display this page" shell doc. The Google cache of the hijacked results is NOT hijacked.

parsec
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

DDS (Ver_10-03-17.01) - NTFSx86
Run by Rigel at 23:00:03.48 on Sun 04/04/2010
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1021.615 [GMT -4:00]

AV: AntiVir Desktop *On-access scanning enabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Ahead\InCD\InCDsrv.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir Desktop\sched.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Avira\AntiVir Desktop\avgnt.exe
C:\Program Files\RocketDock\RocketDock.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\security\installwatch 2.5\InstallWatch.exe
C:\Program Files\Tweak\YzToolbar\yztbr103\YzToolBar.exe
C:\Program Files\Avira\AntiVir Desktop\avguard.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\lxctcoms.exe
svchost.exe
C:\Program Files\SigmaTel\C-Major Audio\WDM\Stacsv.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Rigel\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: AcroIEHlprObj Class: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 6.0\reader\activex\AcroIEHelper.dll
BHO: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - c:\program files\lexmark toolbar\toolband.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: NitroPDFBHO Class: {cf070cb8-f02f-4af4-a7b7-8d45cad4bb54} - c:\program files\nitro pdf\pdf download\NitroPDF.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: StylerToolBar: {d2f8f919-690b-4ea2-9fa7-a203d1e04f75} - c:\program files\tweak\styler\tb\StylerTB.dll
TB: Lexmark Toolbar: {1017a80c-6f09-4548-a84d-edd6ac9525f0} - c:\program files\lexmark toolbar\toolband.dll
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
EB: &Research: {ff059e31-cc5a-4e2e-bf3b-96e929d65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
uRun: [RocketDock] "c:\program files\rocketdock\RocketDock.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [ehTray] c:\windows\ehome\ehtray.exe
mRun: [IAAnotif] c:\program files\intel\intel matrix storage manager\iaanotif.exe
mRun: [IntelAudioStudio] "c:\program files\intel audio studio\IntelAudioStudio.exe" BOOT
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [BJCFD] c:\program files\broadjump\client foundation\CFD.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [avgnt] "c:\program files\avira\antivir desktop\avgnt.exe" /min
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\instal~1.lnk - c:\program files\security\installwatch 2.5\InstallWatch.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\tinywa~1.lnk - c:\program files\security\watcher\Watcher.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\yztool~1.lnk - c:\program files\tweak\yztoolbar\yztbr103\YzToolBar.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Save Page As PDF ... - file://c:\program files\nitro pdf\pdf download\nitroweb.htm
IE: Sothink SWF Catcher - c:\program files\common files\sourcetec\swf catcher\InternetExplorer.htm
IE: SWF Capture tool
IE: {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - c:\program files\common files\sourcetec\swf catcher\InternetExplorer.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {AD9E6088-E00B-42f9-9F0C-8480525D234E} - {FF5073C0-28A0-4223-9BDF-59FF020FE77C} - c:\program files\nitro pdf\pdf download\NitroPDF.dll
DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} - hxxp://go.microsoft.com/fwlink/?linkid=58813
DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} - hxxp://www.lizardtech.com/download/file ... _en_US.cab
DPF: {164B406B-0FD6-4E7F-BA7E-64D227D4CA37} - hxxp://www.digitalwebbooks.com/reader/dbplugin.cab
DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} - hxxp://www.update.microsoft.com/windows ... 7542225000
DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} - hxxp://www.sonypictures.com/games/luxor/mjolauncher.cab
DPF: {87056D28-9730-4A47-B9F9-7E890B62C58A} - hxxp://www.sonypictures.com/games/tumblebugs/axhost.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {C7DB51B4-BCF7-4923-8874-7F1A0DC92277} - hxxp://office.microsoft.com/officeupdat ... /opuc4.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinsta ... s-i586.cab
Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: WB - c:\program files\alienguise\fastload.dll
AppInit_DLLs: c:\windows\system32\wbsys.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\rigel\applic~1\mozilla\firefox\profiles\3i8wvl94.default\
FF - prefs.js: browser.startup.homepage - hxxp://hometab.bellsouth.net/
FF - component: c:\documents and settings\rigel\application data\mozilla\firefox\profiles\3i8wvl94.default\extensions\{5fb1186a-3398-4c47-b579-0f2eee222ad1}\platform\winnt_x86-msvc\components\outwit-3.5.dll
FF - component: c:\documents and settings\rigel\application data\mozilla\firefox\profiles\3i8wvl94.default\extensions\{5fb1186a-3398-4c47-b579-0f2eee222ad1}\platform\winnt_x86-msvc\components\outwit-3.6.dll
FF - component: c:\documents and settings\rigel\application data\mozilla\firefox\profiles\3i8wvl94.default\extensions\{5fb1186a-3398-4c47-b579-0f2eee222ad1}\platform\winnt_x86-msvc\components\outwit.dll
FF - plugin: c:\program files\google\google earth\plugin\npgeplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.183.23\npGoogleOneClick8.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}

============= SERVICES / DRIVERS ===============

R1 avgio;avgio;c:\program files\avira\antivir desktop\avgio.sys [2010-2-24 11608]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\avira\antivir desktop\sched.exe [2010-2-24 108289]
R2 AntiVirService;Avira AntiVir Guard;c:\program files\avira\antivir desktop\avguard.exe [2010-2-24 185089]
R2 avgntflt;avgntflt;c:\windows\system32\drivers\avgntflt.sys [2009-6-19 56816]
R2 McrdSvc;Media Center Extender Service;c:\windows\ehome\mcrdsvc.exe [2005-8-5 99328]
S3 ALSysIO;ALSysIO;\??\c:\docume~1\rigel\locals~1\temp\alsysio.sys --> c:\docume~1\rigel\locals~1\temp\ALSysIO.sys [?]
S3 cpudrv;cpudrv;c:\program files\systemrequirementslab\cpudrv.sys [2009-12-18 11336]
S3 rkhdrv40;Rootkit Unhooker Driver; [x]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [2010-3-18 11520]
S4 gupdate1c9c85ba029b0ed;Google Update Service (gupdate1c9c85ba029b0ed);c:\program files\google\update\GoogleUpdate.exe [2009-4-28 133104]
S4 WDDMService;WD SmartWare Drive Manager;c:\program files\western digital\wd smartware\wd drive manager\WDDMService.exe [2009-10-14 98304]
S4 WDSmartWareBackgroundService;WD SmartWare Background Service;c:\program files\western digital\wd smartware\front parlor\WDSmartWareBackgroundService.exe [2009-6-16 20480]

=============== Created Last 30 ================

2010-04-05 02:53:37 176 ----a-w- c:\documents and settings\rigel\defogger_reenable
2010-03-31 02:49:03 0 d-----w- C:\HelpAsst_backup
2010-03-31 02:49:02 82944 ----a-w- c:\windows\sed.exe
2010-03-31 02:49:02 77312 ----a-w- c:\windows\mbr.exe
2010-03-31 02:49:02 278016 ----a-w- c:\windows\swreg.exe
2010-03-29 09:12:13 488240 ----a-w- C:\HelpAsst_mebroot_fix.exe
2010-03-28 22:33:12 0 d-sha-r- C:\cmdcons
2010-03-28 22:31:25 261632 ----a-w- c:\windows\PEV.exe
2010-03-21 12:58:11 77312 ----a-w- C:\mbr.exe
2010-03-20 03:38:07 0 d-----w- c:\docume~1\rigel\applic~1\PersBackup
2010-03-20 03:31:22 0 d-----w- c:\program files\Personal Backup 4
2010-03-20 03:15:07 937800 ----a-w- c:\windows\system32\acebitaw.dll
2010-03-20 03:15:05 0 d-----w- c:\program files\AceBIT
2010-03-19 02:27:46 0 d-----w- c:\docume~1\rigel\applic~1\Western Digital
2010-03-19 02:27:41 0 d-----w- c:\docume~1\alluse~1\applic~1\Western Digital
2010-03-19 02:27:27 11520 ----a-w- c:\windows\system32\drivers\wdcsam.sys
2010-03-19 02:27:15 0 d-----w- c:\program files\Western Digital
2010-03-13 17:14:27 0 d-----w- c:\program files\SystemRequirementsLab
2010-03-10 00:29:44 33280 -c--a-w- c:\windows\system32\dllcache\rundll32.exe
2010-03-10 00:29:44 33280 ----a-w- c:\windows\system32\rundll32.exe
2010-03-09 23:33:39 0 d-----w- c:\windows\system32\scripting
2010-03-09 23:33:38 0 d-----w- c:\windows\l2schemas
2010-03-09 23:33:37 0 d-----w- c:\windows\system32\en
2010-03-09 23:33:37 0 d-----w- c:\windows\system32\bits
2010-03-09 23:31:08 0 d-----w- c:\windows\ServicePackFiles
2010-03-09 23:21:54 974 ------w- c:\windows\system32\pid.inf
2010-03-09 22:24:47 66048 -c--a-w- c:\windows\system32\dllcache\s3legacy.dll

==================== Find3M ====================

2010-03-30 04:46:30 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-03-30 04:45:52 20824 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-11 07:38:10 3565056 ----a-w- c:\windows\system32\drivers\ati2mtag.sys
2010-02-11 05:17:44 11845632 ----a-w- c:\windows\system32\atioglxx.dll
2010-02-11 05:07:40 307200 ----a-w- c:\windows\system32\atiiiexx.dll
2010-02-11 04:46:14 442368 ----a-w- c:\windows\system32\ATIDEMGX.dll
2010-02-11 04:45:14 325120 ----a-w- c:\windows\system32\ati2dvag.dll
2010-02-11 04:37:08 290816 ----a-w- c:\windows\system32\atiok3x2.dll
2010-02-11 04:36:00 204800 ----a-w- c:\windows\system32\atipdlxx.dll
2010-02-11 04:35:44 155648 ----a-w- c:\windows\system32\Oemdspif.dll
2010-02-11 04:35:32 26112 ----a-w- c:\windows\system32\Ati2mdxx.exe
2010-02-11 04:35:24 43520 ----a-w- c:\windows\system32\ati2edxx.dll
2010-02-11 04:35:10 155648 ----a-w- c:\windows\system32\ati2evxx.dll
2010-02-11 04:33:56 602112 ----a-w- c:\windows\system32\ati2evxx.exe
2010-02-11 04:32:36 53248 ----a-w- c:\windows\system32\ATIDDC.DLL
2010-02-11 04:25:10 3818144 ----a-w- c:\windows\system32\ati3duag.dll
2010-02-11 04:23:04 45056 ----a-w- c:\windows\system32\aticalrt.dll
2010-02-11 04:22:52 45056 ----a-w- c:\windows\system32\aticalcl.dll
2010-02-11 04:21:14 3227648 ----a-w- c:\windows\system32\aticaldd.dll
2010-02-11 04:19:08 53248 ----a-w- c:\windows\system32\drivers\ati2erec.dll
2010-02-11 04:12:24 2670592 ----a-w- c:\windows\system32\ativvaxx.dll
2010-02-11 04:12:00 887724 ----a-w- c:\windows\system32\ativva6x.dat
2010-02-11 04:12:00 3107788 ----a-w- c:\windows\system32\ativva5x.dat
2010-02-11 03:59:16 49664 ----a-w- c:\windows\system32\amdpcom32.dll
2010-02-11 03:55:40 475136 ----a-w- c:\windows\system32\atikvmag.dll
2010-02-11 03:54:04 126976 ----a-w- c:\windows\system32\atiadlxx.dll
2010-02-11 03:53:46 17408 ----a-w- c:\windows\system32\atitvo32.dll
2010-02-11 03:47:50 626688 ----a-w- c:\windows\system32\ati2cqag.dll
2010-02-11 02:20:00 593920 ------w- c:\windows\system32\ati2sgag.exe
2008-05-19 23:32:25 499 ----a-w- c:\program files\Setup.log

============= FINISH: 23:00:34.18 ===============

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_10-03-17.01)

Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 1/18/2007 10:47:01 PM
System Uptime: 4/4/2010 10:55:43 PM (1 hours ago)

Motherboard: Intel Corporation | | D975XBX
Processor: Intel(R) Core(TM)2 CPU 6400 @ 2.13GHz | J3E1 | 2133/266mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 233 GiB total, 160.604 GiB free.
D: is CDROM ()
E: is CDROM ()
H: is Removable

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP947: 4/3/2010 4:18:26 PM - new

==== Installed Programs ======================

AAC Decoder
ABBYY FineReader 6.0 Sprint
ABC Amber EPS Converter
AceBackup 3
acqurl
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Photoshop 7.0
Adobe Reader 6.0.1
Adobe Reader Chinese Simplified Fonts
Adobe Reader Chinese Traditional Fonts
Adobe Reader Japanese Fonts
Adobe Shockwave Player
Advanced File Organizer 3.0
Advanced PDF to HTML converter 1.9.9.5
Alien Shooter 1.2
Alien Skin Eye Candy 5 Impact
Alien Skin Eye Candy 5 Nature
Alien Skin Eye Candy 5 Textures
AlienGUIse Theme Manager
ArcExplorer--Java Edition for Education
ArcExplorer Java Edition
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Display Driver
Atomic Clock Sync
Audacity 1.2.6
Audio Transcoder
AutoUpdate
Avira AntiVir Personal - Free Antivirus
Belarc Advisor 7.2
BellSouth FastAccess DSL Help Center
BroadJump Client Foundation
Business Tycoon
Button Shop
C-evo
Catalyst Control Center - Branding
Catalyst Control Center Core Implementation
Catalyst Control Center Graphics Full Existing
Catalyst Control Center Graphics Full New
Catalyst Control Center Graphics Light
Catalyst Control Center Graphics Previews Common
Catalyst Control Center HydraVision Full
Catalyst Control Center Localization All
ccc-core-preinstall
ccc-core-static
ccc-utility
CCC Help Chinese Standard
CCC Help Chinese Traditional
CCC Help Czech
CCC Help Danish
CCC Help Dutch
CCC Help English
CCC Help Finnish
CCC Help French
CCC Help German
CCC Help Greek
CCC Help Hungarian
CCC Help Italian
CCC Help Japanese
CCC Help Korean
CCC Help Norwegian
CCC Help Polish
CCC Help Portuguese
CCC Help Russian
CCC Help Spanish
CCC Help Swedish
CCC Help Thai
CCC Help Turkish
CCleaner (remove only)
Chak`s Temple 1.0
cliffs
DelinvFile - 3.01
DivX Codec
DivX Converter
DivX Player
DivX Plus DirectShow Filters
DivX Version Checker
DivX Web Player
Driver Magician 3.16
DS-Monkey Audio Source 1.00
Easy Graphic Converter 1.2
Easy Macro Recorder 3.61
Eraser 5.82
FastStone Capture 5.2
Flash Decompiler
fly
Font Manager 3.5
Free DWG Viewer 6.1
FreeView 10.1
Freeware PDF Unlocker
GeoCalc
Glary Utilities 2.0
Google Earth
Google Earth Plug-in
Google SketchUp 7
Google Update Helper
Google Updater
GoToMeeting 4.0.0.320
GPS TrackMaker
Graboid Video 1.2
H.264 Decoder
Hacker Evolution (1.00.0091) (remove only)
High Definition Audio Driver Package - KB835221
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
HTML Executable Viewer 1.1.0
IconTweaker 1.12
InCD
InstallWatch Pro 2.5
Intel Audio Studio 2.0
Intel Matrix Storage Manager
Intel(R) Desktop Control Center
Intel(R) PRO Network Connections
Intel(R) Quick Resume Technology Drivers
Intel® Viiv™ Software
IrfanView (remove only)
J2SE Runtime Environment 5.0 Update 10
JabRef
Java(TM) 6 Update 13
Java(TM) 6 Update 2
Java(TM) 6 Update 3
Java(TM) 6 Update 5
Java(TM) 6 Update 7
Java(TM) SE Runtime Environment 6 Update 1
Lexmark 5400 Series
Lexmark Toolbar
Lizardtech DjVu Control (autoinstall)
Macromedia Dreamweaver 3
MAGIX Xtreme Print Studio 5.0.0.7247 (US)
Magna Sirgas_Pro v.2.0
Malwarebytes' Anti-Malware
mapping, augmented- freestyle #1
mapping, augmented- freestyle #2
mapping, augmented- study #2
MediaCoder 0.7.1.4450
MediaMonkey 3.0
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft MSN MoneyCentral Stock Quotes Add-In for Excel
Microsoft National Language Support Downlevel APIs
Microsoft Office Small Business Edition 2003
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17
MKV Splitter
Mozilla ActiveX Control v1.7.12
Mozilla Firefox (3.0.10)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 6 Service Pack 2 (KB954459)
MSXML4 Parser
MultiStage Recovery 2.7
Nero Digital
Nero OEM
NeroVision Express Content
Nuclear Coffee - VideoGet 2.0.2.26
Ogg Codecs 0.81.15562
Paint Shop Pro 7
PDF-XChange PDF Viewer
PDF Download for Internet Explorer
Pdf995
PdfEdit995
Personal Backup 4.5
PlaceMarker
PowerDVD
QuickTime Alternative 1.81
Registry Easy v3.0
Revo Uninstaller 1.83
Rise of Nations
RocketDock 1.3.1
RollerCoaster Tycoon 3 Platinum
RollerCoaster Tycoon Deluxe
Security Update for Windows Internet Explorer 7 (KB938127-v2)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958215)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960714)
Security Update for Windows XP (KB960715)
Sid Meier's Alpha Centauri
SigmaTel Audio
Signature995
Simple Little Utility for Generating Schemes (SLUGS) 2.1
Skins
SLASHRUN.ORG - THE WAR OF THE WORDS
SodaBush Windowpaper XP v1.01
Sothink SWF Quicker
Sothink Tree Menu
Space Flight 3D Screensaver 1.3
Spybot - Search & Destroy
Star Blaze.1.0
Styler
System Requirements Lab for Intel
Theseus 1.0
Tiny Watcher
TradeKeeper 3.4.5
Tweak UI
UnzipThemAll 1.3
Update for Windows Media Player 10 (KB913800)
Update for Windows Media Player 10 (KB926251)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update Rollup 2 for Windows XP Media Center Edition 2005
VC80CRTRedist - 8.0.50727.762
VideoLAN VLC media player 0.8.6d
WD SmartWare
WebFldrs XP
WhiteCap
Windows Genuine Advantage Validation Tool (KB892130)
Windows Imaging Component
Windows Installer Clean Up
Windows Internet Explorer 7
Windows Media Format Runtime
Windows Media Player Firefox Plugin
Windows XP Media Center Edition 2005 KB888316
Windows XP Media Center Edition 2005 KB914548
Windows XP Service Pack 3
WinRAR archiver
WinTopo Raster to Vector
WMPCDText 1.1
wxDownload Fast 0.6.0
xp-AntiSpy 3.96-4

==== Event Viewer Messages From Past Week ========

4/1/2010 4:58:52 AM, error: Service Control Manager [7023] - The Terminal Services service terminated with the following error: The specified module could not be found.
4/1/2010 4:58:52 AM, error: Service Control Manager [7001] - The Fast User Switching Compatibility service depends on the Terminal Services service which failed to start because of the following error: The specified module could not be found.
3/31/2010 5:40:46 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
3/31/2010 5:40:27 AM, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD avgio avipbb BANTExt Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss ssmdrv Tcpip
3/31/2010 5:40:27 AM, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
3/31/2010 5:40:27 AM, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
3/31/2010 5:40:27 AM, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
3/31/2010 5:40:27 AM, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
3/31/2010 5:39:34 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
3/31/2010 5:39:23 AM, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
3/30/2010 9:24:15 PM, error: iaStor [9] - The device, \Device\Ide\iaStor0, did not respond within the timeout period.
3/30/2010 10:04:51 PM, error: Service Control Manager [7034] - The WD SmartWare Drive Manager service terminated unexpectedly. It has done this 1 time(s).
3/30/2010 10:04:51 PM, error: Service Control Manager [7034] - The WD SmartWare Background Service service terminated unexpectedly. It has done this 1 time(s).
3/30/2010 10:04:51 PM, error: Service Control Manager [7034] - The SigmaTel Audio Service service terminated unexpectedly. It has done this 1 time(s).
3/30/2010 10:04:51 PM, error: Service Control Manager [7034] - The lxct_device service terminated unexpectedly. It has done this 1 time(s).
3/30/2010 10:04:51 PM, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
3/30/2010 10:04:51 PM, error: Service Control Manager [7034] - The Intel(R) Matrix Storage Event Monitor service terminated unexpectedly. It has done this 1 time(s).
3/30/2010 10:04:51 PM, error: Service Control Manager [7034] - The InCD Helper service terminated unexpectedly. It has done this 1 time(s).

==== End Of File ===========================
parsec2112
Regular Member
 
Posts: 16
Joined: March 31st, 2010, 8:31 am

Re: HelpAssistant Rootlit

Unread postby gringo_pr » April 5th, 2010, 7:28 pm

greetings

I would like you to go ahead and run this and let me have the log it makes.

HelpAsst_mebroot_fix

  • Please download HelpAsst_mebroot_fix.exe and save it to your desktop.
  • Close out all other open programs and windows.
  • Double click the file to run it and follow any prompts.
  • If the tool detects an mbr infection, please allow it to run mbr -f and shutdown your computer.
  • Upon restarting, please wait about 5 minutes, click Start>Run and type the following bolded command, then hit Enter.

    • helpasst -mbrt
  • Make sure you leave a space between helpasst and -mbrt !
  • When it completes, a log will open.
  • Please post the contents of that log.

*Note*In the event the tool does not detect an mbr infection and completes, click Start>Run and type the following bolded command, then hit Enter.

  • mbr -f
  • Now, please do the Start>Run>mbr -f command a second time.
  • Now shut down the computer (do not restart, but shut it down), wait a few minutes then start it back up.
  • Give it about 5 minutes, then click Start>Run and type the following bolded command, then hit Enter.

    • helpasst -mbrt
  • Make sure you leave a space between helpasst and -mbrt !
  • When it completes, a log will open.
  • Please post the contents of that log.

**Important note to Dell users - fixing the mbr may prevent access to the Dell Restore Utility, which allows you to press a key on startup and revert your computer to a factory delivered state. There are a couple of known fixes for said condition, though the methods are somewhat advanced. If you are unwilling to take such a risk, you should not allow the tool to execute mbr -f nor execute the command manually, and you will either need to restore your computer to a factory state or allow your computer to remain having an infected mbr (the latter not recommended).


gringo
gringo_pr
Site Moderator
 
Posts: 1816
Joined: March 31st, 2007, 1:35 pm
Location: puerto rico

Re: HelpAssistant Rootlit

Unread postby parsec2112 » April 5th, 2010, 8:41 pm

Evening
"please allow it to run mbr -f and shutdown your computer"

It did not ask for permission to run mbr -f
Nor did it try to shut down my computer.
I did a manual re-start after the program ran.

Two items:
>I have been relentless in deleting termsrv32.dll when tiny watcher finds it on start up.
This is why we find this line in the log: termsrv32.dll not found
(it did not find it on the original log also)
>In the time it took me to write this post my 'friend' is back.

(if needed I have the log the program created when it first ran(before re-start))
parsec

>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
C:\Documents and Settings\Rigel\Desktop\HelpAsst_mebroot_fix.exe
Mon 04/05/2010 at 20:04:58.93

HelpAssistant account was found to be Inactive


~~ Checking for termsrv32.dll ~~

termsrv32.dll not found

~~ Checking firewall ports ~~

backing up DomainProfile\GloballyOpenPorts\List registry key
closing rogue ports

HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\globallyopenports\list
"65533:TCP"=-
"52344:TCP"=-
"7118:TCP"=-
"7117:TCP"=-
"3389:TCP"=-

backing up StandardProfile\GloballyOpenPorts\List registry key
closing rogue ports

HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\globallyopenports\list
"65533:TCP"=-
"52344:TCP"=-
"7118:TCP"=-
"7117:TCP"=-
"3389:TCP"=-

HelpAssistant profile found in registry ~ backing up and removing S-1-5-21-1579027358-493119766-4160484051-1006
HelpAssistant profile directory exists at C:\Documents and Settings\HelpAssistant ~ attempting to remove
~ All C:\Documents and Settings\HelpAssistant files successfully removed ~

~~ Checking mbr ~~

user & kernel MBR OK

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Status check on Mon 04/05/2010 at 20:18:24.37

Full Name HelpAssistant
Account active Yes
Local Group Memberships *Administrators

~~ Checking mbr ~~

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x85938F00]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\iaStor -> 0x85938f00
NDIS: Intel(R) PRO/1000 PL Network Connection -> SendCompleteHandler -> 0x84cf2670
Warning: possible MBR rootkit infection !
user & kernel MBR OK
Use "Recovery Console" command "fixmbr" to clear infection !

~~ Checking for termsrv32.dll ~~

termsrv32.dll not found


HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %systemroot%\System32\termsrv.dll

~~ Checking profile list ~~

No HelpAssistant profile in List

~~ Checking for HelpAssistant directories ~~

none found

~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\GloballyOpenPorts\List]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]


~~ EOF ~~
parsec2112
Regular Member
 
Posts: 16
Joined: March 31st, 2010, 8:31 am
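As an added example (not part of the thread and not code from the HelpAsst tool), a small Python parser for the log format posted above. It reads both passes of the log, records the ports the tool had to close, and flags the indicators that show the fix did not hold: the HelpAssistant account active again and in Administrators, and rootkit hooks reported in the status check. The sample log is constructed to mirror the posted one; the SID and hook addresses are placeholders.

```python
import re

# Constructed sample in the HelpAsst_mebroot_fix log format (modelled on the
# thread's posted logs; SID and addresses are placeholders, not a real capture).
SAMPLE_LOG = r"""C:\Documents and Settings\User\Desktop\HelpAsst_mebroot_fix.exe
Mon 04/05/2010 at 20:04:58.93

HelpAssistant account was found to be Inactive

~~ Checking for termsrv32.dll ~~

termsrv32.dll not found

~~ Checking firewall ports ~~

backing up DomainProfile\GloballyOpenPorts\List registry key
closing rogue ports

HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\globallyopenports\list
"65533:TCP"=-
"52344:TCP"=-
"7118:TCP"=-
"7117:TCP"=-
"3389:TCP"=-

HelpAssistant profile found in registry ~ backing up and removing S-1-5-21-0-0-0-1006

~~ Checking mbr ~~

user & kernel MBR OK

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Status check on Mon 04/05/2010 at 20:18:24.37

Full Name HelpAssistant
Account active Yes
Local Group Memberships *Administrators

~~ Checking mbr ~~

called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x00000000]<<
detected MBR rootkit hooks:
\Driver\iaStor -> 0x00000000
NDIS: Example Network Connection -> SendCompleteHandler -> 0x00000000
Warning: possible MBR rootkit infection !
user & kernel MBR OK

~~ EOF ~~
"""

PORT_RE = re.compile(r'^"(\d+:(?:TCP|UDP))"=-\s*$')   # registry deletions the tool prints
HOOK_RE = re.compile(r"^(.+?) -> (0x[0-9a-fA-F]+)\s*$")  # "<module> -> <address>" lines


def split_passes(log):
    """Return (fix_pass, status_check); the tool separates them with a line of tildes."""
    parts = re.split(r"^~{10,}\s*$", log, maxsplit=1, flags=re.M)
    return parts[0], (parts[1] if len(parts) > 1 else "")


def closed_ports(text):
    """Every GloballyOpenPorts entry the tool deleted (3389:TCP is RDP, the rest rogue)."""
    return sorted({m.group(1) for m in map(PORT_RE.match, text.splitlines()) if m})


def mbr_hooks(text):
    """Hook lines listed under 'detected MBR rootkit hooks:' as (module, address) pairs."""
    hooks, collecting = [], False
    for line in text.splitlines():
        if line.startswith("detected MBR rootkit hooks:"):
            collecting = True
            continue
        if collecting:
            m = HOOK_RE.match(line)
            if not m:          # first non-hook line ends the block
                break
            hooks.append((m.group(1), m.group(2)))
    return hooks


def account_state(text):
    """(active flag as printed, True if *Administrators appears in the group list)."""
    active = re.search(r"^Account active\s+(\w+)", text, re.M)
    groups = re.search(r"^Local Group Memberships\s+(.*)$", text, re.M)
    return (active.group(1) if active else "unknown",
            "*Administrators" in (groups.group(1) if groups else ""))


def assess(log):
    """Summarise one log; 'reinfected' is True when the post-restart status check
    still shows an active HelpAssistant admin account or MBR hooks."""
    fix_pass, status = split_passes(log)
    active, is_admin = account_state(status)
    hooks = mbr_hooks(status)
    return {
        "ports_closed": closed_ports(fix_pass),
        "termsrv32_present": "termsrv32.dll present" in fix_pass,
        "account_active": active == "Yes",
        "account_is_admin": is_admin,
        "mbr_hooks": hooks,
        "reinfected": bool(hooks) or (active == "Yes" and is_admin),
    }


if __name__ == "__main__":
    for key, value in assess(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```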

Re: HelpAssistant Rootlit

Unread postby parsec2112 » April 5th, 2010, 8:55 pm

Note:
I cannot access the recovery console.
Something about the way my drivers are set up
causes a hard crash before it fully loads.

Oh yes I have been that far and was committed to run fixmbr (and fixboot)...
.....with no luck.

Crash error code
0000007B (0xF7912524 0xC0000034 (all zeros on the other two sets)
That 0xF7912524.....will not get you anywhere. The 0xC0000034 will.

Hope you have some ideas
parsec
parsec2112
Regular Member
 
Posts: 16
Joined: March 31st, 2010, 8:31 am

Re: HelpAssistant Rootlit

Unread postby gringo_pr » April 6th, 2010, 2:00 am

hello parsec2112

I see some tools run that should be run only under supervision. I would like to know if you were helped recently by someone and if so can I have the link so I can check what else may have been done - if you did things on your own I need to know what else you may have done.

Do you have a RAID setup for your hard drives?

gringo
gringo_pr
Site Moderator
 
Posts: 1816
Joined: March 31st, 2007, 1:35 pm
Location: puerto rico

Re: HelpAssistant Rootlit

Unread postby parsec2112 » April 6th, 2010, 5:50 am

Hi Gringo
"I would like to know if you were helped recently by someone and if so can I have the link do I can check what else may have been done - if you did things on your own I need to know what else you may have done."

First part is easy......No, I have not been helped by anybody else.
Second part is not so easy. This has been going on for six weeks and frankly I do not remember all the things I have done. I do know this: I have avoided using the truly intrusive programs and have avoided dropping scripts into said programs.

It is called softRAID.
And it should not be on this system....but it is.
I do believe it is the key also, but I don't know how to unlock the problem.

more later
parsec
parsec2112
Regular Member
 
Posts: 16
Joined: March 31st, 2010, 8:31 am

Re: HelpAssistant Rootlit

Unread postby gringo_pr » April 6th, 2010, 9:21 am

greetings parsec2112

Thanks for the info. let me look into this problem for now.

gringo
gringo_pr
Site Moderator
 
Posts: 1816
Joined: March 31st, 2007, 1:35 pm
Location: puerto rico

Re: HelpAssistant Rootlit

Unread postby gringo_pr » April 7th, 2010, 12:58 am

Hello

I am asking some people to check this with me

"I have been relentless in deleting termsrv32.dll when tiny watcher finds it on start up."
Don't do this before you run the tool please


click Start>Run and type the following bolded command, then hit Enter.

helpasst -reset

Make sure you leave a space between helpasst and -reset !

I would like you to rerun the tool again.

HelpAsst_mebroot_fix

  • Close out all other open programs and windows.
  • Double click HelpAsst_mebroot_fix to run it and follow any prompts.
  • If the tool detects an mbr infection, please allow it to run mbr -f and shutdown your computer.
  • Upon restarting, please wait about 5 minutes, click Start>Run and type the following bolded command, then hit Enter.

    • helpasst -mbrt
  • Make sure you leave a space between helpasst and -mbrt !
  • When it completes, a log will open.
  • Please post the contents of that log.

*Note*In the event the tool does not detect an mbr infection and completes, click Start>Run and type the following bolded command, then hit Enter.
    • mbr -f
  • Now, please do the Start>Run>mbr -f command a second time.
  • Now shut down the computer (do not restart, but shut it down), wait a few minutes then start it back up.
  • Give it about 5 minutes, then click Start>Run and type the following bolded command, then hit Enter.

    • helpasst -mbrt
  • Make sure you leave a space between helpasst and -mbrt !
  • When it completes, a log will open.
  • Please post the contents of that log.

let me have the new log please

gringo
gringo_pr
Site Moderator
 
Posts: 1816
Joined: March 31st, 2007, 1:35 pm
Location: puerto rico

Re: HelpAssistant Rootlit

Unread postby parsec2112 » April 7th, 2010, 7:27 am

Morning Gringo
I am currently at work.
I will try the fix this afternoon when I get home.
(afternoon my time, I believe we are in the same timezone or one off)
I do know that termsrv32.dll is currently on the system.
(did not catch it in time to delete)

Also I will be calling the manufacturer this p.m. to see
if there is a way to remove softRAID from the system.
Looking at it from the device manager almost all of the
data lines are blank.
In other words a useless device that is just calling trouble.


parsec
parsec2112
Regular Member
 
Posts: 16
Joined: March 31st, 2010, 8:31 am

Re: HelpAssistant Rootlit

Unread postby parsec2112 » April 7th, 2010, 9:56 pm

Evening Gringo

I'm afraid the news is not good....

C:\Documents and Settings\Rigel\Desktop\HelpAsst_mebroot_fix.exe
Wed 04/07/2010 at 20:24:39.19

HelpAssistant account was found to be Inactive


~~ Checking for termsrv32.dll ~~

termsrv32.dll present! ~ attempting to remove
termsrv32.dll successfully removed

~~ Checking firewall ports ~~

backing up DomainProfile\GloballyOpenPorts\List registry key
closing rogue ports

HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\globallyopenports\list
"65533:TCP"=-
"52344:TCP"=-
"7117:TCP"=-
"7118:TCP"=-
"3389:TCP"=-

backing up StandardProfile\GloballyOpenPorts\List registry key
closing rogue ports

HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\globallyopenports\list
"65533:TCP"=-
"52344:TCP"=-
"7117:TCP"=-
"7118:TCP"=-
"3389:TCP"=-

HelpAssistant profile found in registry ~ backing up and removing S-1-5-21-1579027358-493119766-4160484051-1006
HelpAssistant profile directory exists at C:\Documents and Settings\HelpAssistant ~ attempting to remove
~ All C:\Documents and Settings\HelpAssistant files successfully removed ~

~~ Checking mbr ~~

user & kernel MBR OK

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Status check on Wed 04/07/2010 at 20:52:57.82

Full Name HelpAssistant
Account active Yes
Local Group Memberships *Administrators

~~ Checking mbr ~~

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x85081288]<<
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\iaStor -> 0x85081288
NDIS: Intel(R) PRO/1000 PL Network Connection -> SendCompleteHandler -> 0x84c9e670
Warning: possible MBR rootkit infection !
user & kernel MBR OK
Use "Recovery Console" command "fixmbr" to clear infection !

~~ Checking for termsrv32.dll ~~

termsrv32.dll not found


HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
ServiceDll REG_EXPAND_SZ %systemroot%\System32\termsrv.dll

~~ Checking profile list ~~

No HelpAssistant profile in List

~~ Checking for HelpAssistant directories ~~

none found

~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\GloballyOpenPorts\List]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]


~~ EOF ~~

parsec
parsec2112
Regular Member
 
Posts: 16
Joined: March 31st, 2010, 8:31 am

Re: HelpAssistant Rootlit

Unread postby gringo_pr » April 7th, 2010, 11:59 pm

Hello parsec

I would like you to try this and let me know if this works - don't do anything yet just test

    enter the bios and change the "Drive Controller" to "RAID Autodetect/ATA"

    then you should be able to load recovery console.

    After you are done you will need to change that bios setting back to RAID Autodetect/AHCI or Xp will not load.

gringo
gringo_pr
Site Moderator
 
Posts: 1816
Joined: March 31st, 2007, 1:35 pm
Location: puerto rico

Re: HelpAssistant Rootlit

Unread postby parsec2112 » April 8th, 2010, 10:20 pm

Evening Gringo,
I see where you are going.
But I think we have a no go....

The <> hash is the current configuration/The () hash are the options available
(sure hope this html flies)
Enter BIOS:
Advanced/Driver Config/
Use Automatic mode: <enable> (disable)
ATA/IDE: <enhanced> (legacy)
Config SATA as: <AHCI> (IDE) (RAID)
S.M.A.R.T <enable> (disable)

Bailed out.....did nothing.

Idea:
On regular start up and recovery console start up the system loads the RAID drivers.
In fact on pre boot I have a screen that states: press F4 to enter RAID utility.
I know what you are thinking.....I looked.
There is nothing there of use. Why?
Well the driver might be loading but there is nothing attached to them.
First up the exact drivers....
http://i39.tinypic.com/k9ujxe.jpg
And the device is......
http://i40.tinypic.com/dh2wm1.jpg
Let's Flash the BIOS.....oh wait a minute.
http://i42.tinypic.com/1zwyp9v.jpg

Because the RAID drivers are in the path we cannot get into the recovery console, and The Fix will not work.
I tried "do not use this device (disable)". That did absolutely nothing. Because there is no device.(doh!)
What happens if I uninstall the drivers? (and unregister also???)
They would no longer be in the path. Just not sure how the BIOS would deal with this.

parsec
parsec2112
Regular Member
 
Posts: 16
Joined: March 31st, 2010, 8:31 am